Site blog

Les Bell
by Les Bell - Tuesday, 25 October 2022, 9:12 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Australia Increases Penalties for Privacy Breaches

Following much public anger, hand-wringing and outrage on the part of politicians and pundits, Australia's Commonwealth Government has concluded that the answer is tougher penalties. In a media statement Attorney-General Mark Dreyfus stated that

"existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business. We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour".

"The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:

  • $50 million
  • three times the value of any benefit obtained through the misuse of information; or
  • 30 percent of a company's adjusted turnover in the relevant period."

That might focus the attention of boards and C-suites, and will doubtless meet with the approval of the public. It might even result in CISO's getting a more sympathetic hearing when budget review time comes around, with increased spending in . . . well, some areas of security efforts.

But it's doubtful whether it will do anything to improve things at the coalface. If the popular theory that the Optus breach which triggered all this brow-beating is correct, and the data was exposed via a misconfigured API endpoint, then nothing would be different - no amount of punitive incentivization will improve the Mark I human's proclivity to errors in the form of slips and lapses. And for developers who may well find themselves walking the plank if caught anywhere near a breach, or CISO's who suddenly find their title has change to DFG (Designated Fall Guy), the size of the fine is irrelevant.

On the other hand, I predict a boom in half-day and one-day courses for directors and senior managers on cybergovernance, with a good lunch as a bonus.

Dreyfus, Mark, Tougher penalties for serious data breaches, media release 22 October 2022. Available online at https://ministers.ag.gov.au/media-centre/tougher-penalties-serious-data-breaches-22-10-2022.

Cybergovernance Principles Launch Hacked

Speaking of which . . . The Australian Institute of Company Directors (AICD) has produced a new set of cybersecurity governance principles, and was set to launch them with an online event yesterday. The event had gained the support of the relevant Federal Minister, Clare O'Neil, as well as CEO of the Cyber Security Cooperative Research Centre, Rachael Falk.

Everything was set for thousands of online attendees to learn how to secure their companies and their systems. But when they tried to log on, the conference did not start on time. As they waited, a fake Eventbrite link, which requested credit card details, was posted to the related LinkedIn chat. When AICD officials asked participants not a follow links in the chat, it was followed by an official-looking AICD link - which also didn't work.

Eventually, the AICD was forced to give up and cancel the event, with MD & CEO, Mark Rigotti, forced to warn anyone who had submitted credit card details to contact their bank, and to apologise for the issues. "We recognise this experience has fallen well below the high standards our members rightly expect of the AICD", he stated.

Apparently, the Magic Wand of Cybergovernance isn't quite as effective as claimed; regular readers are reminded of Putt's Law:

Technology is dominated by two types of people:

Those who understand what they do not manage
Those who manage what they do not understand

Towell, Noel and Kishor Napier-Raman, Hackers hit cybersecurity conference, The Sydney Morning Herald, 24 October 2022. Available online at https://www.smh.com.au/national/hackers-hit-cybersecurity-conference-20221024-p5bsiq.html.

Meanwhile, Another Take on Incentives

In the latest issue of Communications of the ACM, the former Editor-in-Chief of that august journal, Moshe Y. Vardi, also ponders these problems. In 2017, he wrote, "So here we are, 70 years into the computer age and after three ACM Turing Awards in the area of cryptography (but none in cybersecurity), and we still do not seem to know how to build secure information systems." Five years on, the only change he would make is subsituting 75 for 70.

Vardi points the finger at the externalities in the system: whatever we do in the digital world involves disclaimers; whether installing new software or signing in to an online service, we accept terms and conditions which allow the vendors to escape liability:

'As the philosopher Helen Nissenbaum pointed out in a 1996 article, while computing vendors are responsible for the reliability and safety of their product, the lack of liability results in lack of accountability. She warned us more than 25 years ago about eroding accountability in computerized societies. The development of the "move-fast-and-break-things" culture in this century shows that her warning was on the mark.'

Vardi suggests that the way to address the cyber-insecurity issue may well be regulation, which overcome the power imbalance between vendors and their customers, and prevent them escaping accountability. The question that comes to mind is, what would we - or governments - regulate? Perhaps it is time to shift the pendulum away from playing catch-them-if-you can in the incident response phase, and back towards engineering security into systems.

Vardi, Moshe Y., Accountability and Liability in Computing, Communications of the ACM, November 2022, Vol. 65 No. 11, Page 5. Available online at https://cacm.acm.org/magazines/2022/11/265836-accountability-and-liability-in-computing/fulltext.

Pentesters Pwned By Malware-Laced PoC's

The dire state of penetration testing is highlighted by a new report from researchers at the Leiden Institute of Advanced Computer Science, who anaysed proof-of-concept exploit code posted to GitHub. Using three fairly simply techniques:

  1. Comparing the committer's IP addres to public blacklists, VirusTotal and AbuseIPDB
  2. Submitting binaries and their hashes to VirusTotal for analysts, and
  3. Deobfuscation of base64 and hex values before performing the above two checks

the researchers found that 4,893 examples, out of the 47,313 that they downloaded in total, made calls to malicious IP addresses, carried obfuscated malicious code, or included trojanized binaries. In other words: download a PoC from GitHub, and you have a 10.3% chance of catching something nasty. More to the point, if you use the code in an engagement without checking it, your client could catch some nasty.

The current emphasis on pen-testing as a way of improving security posture is fine - if the testing is performed by highly-skilled testers. Unfortunately, there aren't enough really skilled testers out there. At the bottom of the market, many rely upon the basic testing performed by automated scanners, while some go a little further, with the aid of Kali Linux and a library of YouTube videos. The better ones will dig a bit deeper, using the capabilities of tools like Metasploit and Cobalt Strike, especially for red-teaming.

But even those tools run out of steam, and so the temptation is huge, to just download any relevant PoC's and see if they work. The results could be devastating. It is incumbent on professional pen-testers to

  • Read and understand the code they are about to run against or on their own or their customers' networks
  • Use easily-available, free tools like VirusTotal to analyze binaries
  • Analyze the code manually, taking the time to deobfuscate where necessary. If this will take too long, then explode it in a sandbox while monitoring it for malicious behaviour and suspicious network traffic

One has to ask: why would code in a proof-of-concept be obfuscated anyway? There are a few sort-of-good reasons, but if it's to stop casual reading and understanding, that's a huge red flag.

El Yadmani, Soufian, Robin The and Olga Gadyatskaya, How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub, arXiv pre-print, 15 October 2022. Available online at https://arxiv.org/abs/2210.08374.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
 
Les Bell
by Les Bell - Monday, 24 October 2022, 9:06 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


VMWare Vuln Attracts Ransomware, Cryptominers

Back in April, VMware disclosed CVE-2022-22054, a remote code execution vulnerability in VMware ONE Access with a CVSS score of 9.8, and released a patch for it. It didn't take long for threat actors to reverse-engineer the patch and develop exploits which rapidly spread in the wild.

You would think this wouldn't be a huge problem, since the patch was available - but in August, researchers at Fortinet Labs saw a massive spike in activity, coupled with a change in post-exploitation tactics. Prior to this, threat actors had been using the exploit to find and exfiltrate sensitive information such as credentials, but the August attackers switched to installing the Mirai botnet, or alternatively a combination of the RAR1Ransom ransomware and a cross-platform cryptominer called GuardMiner.

The fact that this campaign is still running, months after a patch became available, shows that many enterprises are not being sufficiently proactive with their patch management programs.

Lin, Cara, Mirai, RAR1Ransom and GuardMiner - Multiple Malware Campaigns Target VMware Vulnerability, blog post, 20 October 2022. Available online at https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability.

Google Project Aims to Improve Supply Chain Security

Google has announced a new open-source project it calls GUAC (pronounced like the dip) to assist with supply chain security. GUAC, or Graph for Understanding Artifact Composition, has been kicked off by the cloud service provider together with Kusari, Citi and Purdue University. It aggregates software security metadata from SBOM's, signed attestations from SLSA and vulnerability databases, into a high fidelity graph database, normalizing entity identities and mapping standard relationships between them.

Querying this database will help to prioritize vulnerability management and remediation workflows, by answering important questions such as which enterprise applications are affected by a newly-disclosed vulnerability (a huge problem for many enterprises following Log4j, for example), or which are the most used criticial components in enterprise systems.

At this stage, GUAC exists as a proof-of-concept that can ingest SLSA, SBOM and Scorecard documents and support simple queries. The focus is now turning to scaling the current capabilities and adding new document types for ingestion.

Lum, Brandon, et. al., Announcing GUAC, a great pairing with SLSA (and SBOM)!, Google Security Blog, 20 October 2022. Available online at https://security.googleblog.com/2022/10/announcing-guac-great-pairing-with-slsa.html.

Ransomware Group Targets Healthcare Sector

The FBI, US Cybersecurity and Infrastructure Security Agency and Dept. of Health and Human Services have issued a joint cybersecurity advisory outlining the TTP's, IOC's and general background on a group called "Daixin Team" who have predominantly been targeting the US healthcare sector with ransomware and extortion operations. Although this advisory is based on US experience, there's no reason to assume the group has not been active in Australia as well, and the advice is generally applicable.

Daixin Team has been active since at least June 2022, deploying ransomware to encrypt servers containing a variety of health information, but also exfiltrating personal identifiable information and patient health information, then threatening to release it if a ransom is not paid.

The group has used various techniques to gain initial access, including exploiting an unpatched vulnerabilitiy in a VPN server, or using previously-compromised credentials. Once access has been gained, they move laterally via SSH and RDP connections, and will attempt privilege escalation via credential dumping and pass-the-hash attacks. The advisory provides a full run-down, and makes for interesting reading.

CISA, #StopRansomware: Daixin Team, Alert AA22-294A, 21 October 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-294a.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
 
Les Bell
by Les Bell - Saturday, 22 October 2022, 6:42 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Office Web Apps Server SSRF/RCE Vulnerability

During a routine penetration test involving Microsoft's Office Online Server, MDSec found a server-side request forgery vulnerability which can be further exploited to achieve remote code execution on the server. The vulnerability is located in the /op/view.aspx API, which is normally used to retrieve Office documents for display in a browser.

The API leaks timing information which can be used to enumerate active hosts within the victim's network, but more interestingly, the connections made by the server's requests were made using the host's machine account. This can be used to exploit LDAP (to add shadow credentials) or Active Directory Certificate Services (to obtain a certificate, and from that a Ticket Granting Ticket for the server). From there, it is relatively simply to obtain a forged service ticket for the server, and thus local admin privileges on the server.

Microsoft responded that this is the way the API is intended to work, and suggested some mitigation steps.

Tanwar, Manish, Microsoft Office Online Server Remote Code Execution, blog post, 19 October 2022. Available online at https://www.mdsec.co.uk/2022/10/microsoft-office-online-server-remote-code-execution/.

Android Malware Spies on Iranian Citizens

Researchers from ESET have identified a new version of the FurBall Android malware being used by APT-C-50 top conduct surveillance operations against Iranian citizens as part of its Domestic Kitten campaign, which has been running since at least 2016.

The interesting thing about this new version of Furball is that it has no new functionality; instead, its developers slightly obfuscated class and method names, strings, logs and the C2 server URI's, as well as the names of the PHP functions that run on the server. The purpose of this appears to be to change IoC's in order to evade detection..

Another curious feature is the fact that, despite the app having comprehensive spyware functionality, most of it cannot be used because its AndroidManifest.xml file only requests the permission to access contacts. It is possible that it is simply gathering contact information which will be used in a spearphishing campaign against the real targets; alternatively, once trust is established, more permissions could be requested by an update.

Stefanko, Lukas, Domestic Kitten campaign spying on Iranian citizens with new FurBall malware, blog post, 20 October 2022. Available online at https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/.

US Government to Launch Cybersecurity Labeling Program for IoT

The Internet of Things continues to be a headache for users, bedeviled as it is by such basic vulnerabilities as unchangeable default passwords, software written by the lowest bidder, and the lack of firmware update facilities. Now, inspired by the success of the EPA and DOE's Energy Star program, the White House has announced that it will drive improved security standards for Internet-enabled devices and implement a national cybersecurity labeling program which it intends will be globally recognized (think "Energy Star for cyber").

The National Security Council held a meeting between academics, government officials and manufacturers' representative from AT&T, Cisco, Comcast, Google, Amazon, Sony, Samsung, Intel, LG and others. The FTC and NIST have been tasked with advancing improved security standards and a product labeling scheme.

Watson, Adrienne, Statement by NSC Spokesperson Adrienne Watson on the Biden-Harris Administration's Effort to Secure Household Internet-Enabled Devices, press release, 20 October 2022. Available online at https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/20/statement-by-nsc-spokesperson-adrienne-watson-on-the-biden-harris-administrations-effort-to-secure-household-internet-enabled-devices/.

UK Adopts New Architecture

Staying in the polical realm, on Thursday the British Government announced that it would now transition to a Zero Truss Architecture.

I think that's quite enough for this week . . .


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
 
Les Bell
by Les Bell - Friday, 21 October 2022, 9:18 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


CyberEspionage Group Deploys New PowerShell Backdoor

Researchers at SafeBreach have discovered what appears to be a 0day exploit which usesa malicious Word document macro to launch PowerShell scripts which infect the system. The Word document superficially looks like a job application form called "Apply Form.docm", but editing it will run a macro which drops a Visual Basic script and creates a scheduled task to run it, masquerading as part of the Windows update process.

It also creates two PowerShell scripts, which first of which connects to the attacker's C2 server, establishing a channel which is encrypted with AES-256-CBC. The second script then decrypts and executes the received commands, uploading the results in a similar way.

Taking advantage of some elementary errors by the attackers (single AES key for all victims, predictable victim ID's), the SafeBreach researchers were able to find the various commands which were waiting for the 69 or so victims; the vast majority are for exfiltration of data, while the remainder were mostly for user and system enumeration, including network and RDP connections.

Bar, Tomer, SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor, blog post, 18 October 2022. Available online https://www.safebreach.com/resources/blog/safebreach-labs-researchers-uncover-new-fully-undetectable-powershell-backdoor/.

Microsoft Misconfiguration Exposes Customer Data

Micosoft Security Response Center has disclosed a vulnerability which exposed data - primarily contact details and email contents - relating to customers' relationships with Microsoft and its business partners. The vulnerability was a misconfiguration which allows unauthenticated access to a Microsoft Azure Blob Storage endpoint. Curiously, they state that the "endpoint is not in use across the Microsoft ecosystem", which sounds like a classic example of improper web API asset management.

MSRC also states that "our investigation found no indication customer accounts or systems were compromised" and the affected customers have been notified.

However, Microsoft also take issue with the way in which the researchers who discovered the exposure disclosed it, claiming they made the problem worse. SOCRadar had claimed that sensitive customer information, including product orders and offers, project details and IP for over 65,000 entities in 111 countries, going back 5 years, was exposed.

msrc, Investigation Regarding Misconfigured Microsoft Storage Location, blog post, 19 October 2022. Available online at https://msrc-blog.microsoft.com/2022/10/19/investigation-regarding-misconfigured-microsoft-storage-location-2/.

Uncredited, Sensitive Data of 65,000+ Entities in 111 Countries Leaked due to a Single Misconfigured Data Bucket, blog post, 19 October 2022. Available online at https://socradar.io/sensitive-data-of-65000-entities-in-111-countries-leaked-due-to-a-single-misconfigured-data-bucket/.

Ransomware Gang Targets Russian Companies

Generally, ransomware gangs are equal-opportunity operators - they'll accept money from anyone after locking up their files. However, Singapore researchers at Group-IB have identified one group, OldGremlin, which they say specializes in attacking Russian firms across a range of industries.

Their motto seems to be "work smarter, not harder" - since their discovery in March 2020, the group has conducted a total of 16 campaigns, and while they only ran five campaigns this year, their ransom demands have been steadily increasing - in 2021, their biggest demand was for $4.2 million, in  2022 it grew to $16.9 million.

In order to gain initial access, the group uses well-crafted phishing emails, which often present as interview requests, commercial proposals and financial documents. They develop their own ransomware, and while they historically targeted the Windows platform, deploying well-known tools such as PowerSploit and Cobalt Strike, their most recent activities have spread to Linux. They are also stealthy; their victims are typically infected for 49 days before their ransomware is deployed.

Group-IB, Gremlins' prey, secrets, and dirty tricks: the ransomware gang OldGremlin set new records, press release, 20 October 2022. Available online at https://www.group-ib.com/media-center/press-releases/oldgremlin-2022/.

Further Criticism of (ISC)2

Former board member at (ISC)2, Wim Remes, has leveled further criticism at the certification body, pointing out the organization's poor record on member engagement. He also points out the problems with the new requirements for members to raise a petition, which would effectively make it impossible.

As Remes points out, under the new process for board elections, in which the board will submit a slate of qualified candidates equal to the number of open seats, an election is, in effect, just a coronation.

Wollacott, Emma, Security certification body (ISC)2 defends 'undemocratic' bylaw changes, The Daily Swig, 19 October 2022. Available online at https://portswigger.net/daily-swig/security-certification-body-isc-defends-undemocratic-bylaw-changes.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
 
Les Bell
by Les Bell - Thursday, 20 October 2022, 9:06 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


RCE Vulnerability In - Of All Things - Cobalt Strike

IBM X-Force researchers have found a remote code execution vulnerability in the Cobalt Strike post-exploitation C2 framework. Their interest was drawn by a September out-of-band update for Cobalt Strike which was intended to fix an XSS vulnerability (CVE-2022-39197); the release notes for this patch stated that the vulnerability could lead to RCE, and so they set about checking to see whether the patch really did fix the problem.

The researchers started by decompiling the Cobalt Strike Java client application, and took a close look at the XSS mitigation code, identifying two validator functions but realizing that the note input field was not being passed through either XSS validator. Further experimentation on the client, which is written using the Swing UI framework, revealed that it was possible to include HTML in a Swing component, and then include Java components with the HTML by using the HTML <object> tag.

From there, automated code analysis revealed the final component of the vulnerability: a deserialization vulnerability in a library which is used to load SVG (Scalable Vector Graphics) files. Putting the whole chain together, the X-Force researchers created a PoC which injects some JavaScript into the graphical file explorer menu to hook the FileNextFileA function, which allowed them to inject the name of an SVG file into the back end, which, in turn, loads the SVG which contains JavaScript code which can then load and run arbitrary Java code, right up to a full-featured back door.

Sherri, Rio, Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1, blog post, 17 October 2022. Available online at https://securityintelligence.com/posts/analysis-rce-vulnerability-cobalt-strike/.

New Google OS Based on seL4

Attendees at my CISSP review courses will have heard me talk about the seL4 microkernel, which was originally developed at UNSW under the auspices of Data61, and was spun off into its own foundation a few years ago. seL4 is unique in being a formally verified kernel; its logic was expressed in a mathematical notation (Higher Order Logic) and then interatively proven to be secure using the Isabelle proof assistant, fixing the HOL and the corresponding source code along the way until the security properties (confidentiality, integrity, availability) of the microkernel were proven.

The result is an OS kernel that is ideal for embedded systems with high security and reliability requirements, such as in avionics, medical, automotive and defence applications.

Now Google has picked up on the benefits of building security in from the ground up, rather than trying to add it later, and has created a new operating system which is intended to be a provably secure platform for embedded devices that run machine learning applications. The OS, called KataOS, is implemented almost entirely in Rust - a good move for security, since it eliminates some of the major classes of vulnerabilities such as off-by-one errors and buffer overflows.

The reference implementation of KataOS (important, since formal verification is hardware-dependent) is called Sparrow, and combines KataOS with a silicon root of trust (OpenTitan) on a RISC-V architecture. An interim release will run on 64-bit ARM running in simulation with QEMU.

Call me old-fashioned, but I'm glad to see someone taking security engineering seriously, rather than throwing a system together with COTS and then playing whack-a-mole with pentesters and bad guys.

Sam, Scott and June, Announcing KataOS and Sparrow, Google Open Source blog, 14 October 2022. Available online at https://opensource.googleblog.com/2022/10/announcing-kataos-and-sparrow.html.

seL4 Project, The seL4 Microkernel, project home page, 2022. Available online at https://sel4.systems/.

Medibank Breach Turns Nasty

Earlier this week we reported on a likely breach at healthcare and general insurer Medibank, and in response to the company's claim that, "we have found no evidence that our customer data has been accessed", I could only comment, "Let's hope they're right".

It seems they weren't, with Nine Media mastheads receiving a message from the hackers, who claim to have exfiltrated 200 GB of sensitive information and are now threatening to release it. In broken English, the hackers wrote:

“We offer to start negotiations in another case we will start realizing our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc) Also we’ve found people with very interesting diagnoses. And we’ll email them their information.”

Medibank had also received a threat, which is was taking seriously. In the meantime, trading in Medibank shares on the ASX has been halted - a move which doubtless refocus the attention of the Medibank board members on cybersecurity.

Bonyhady, Nick and Colin Kruger, Medibank hackers threaten to release stolen health data in ransom demand, The Age, 19 October 2022. Available online at https://www.theage.com.au/technology/medibank-hackers-threaten-to-release-stolen-health-data-in-ransom-demand-20221019-p5br2s.html.

Russia Buys Chips from China, Finds 40% Are Duds

Sanctions against Russia are hitting its electronics manufacturing sector, quite possibly affecting its ability to produce weapons systems. Prior to the imposition of sanctions, Russia was able to buy semiconductor components on the open market, and in those days approximately 2% of parts were faulty. But bear in mind that 2% is quite damaging, since a typical product has multiple components. With 10 components, a completed circuit board has a reliability of just 82% (or a failure rate of 18%).

But with a 40% failure rate, almost nothing is going to work (do the math: for one component, the reliability is 60% or 0.6, but with 10 components, \(.6^{10}\) or 0.006 - that is, 0.6% of completed boards will work. A 99% failure rate.

It seems that China is capitalizing on the fact that Russia is caught between a rock and a hard place. This is also a useful reminder that not only the software supply chain has its vulnerabilities.

Sharwood, Simon, China dumps dud chips on Russia, Moscow media moans, The Register, 18 October 2022. Available online at https://www.theregister.com/2022/10/18/russia_china_semiconductro_failure_rates/.

Soccer Fans: Qatar Wants You (Or Your Data, More Likely)

According to a report in Norwegian media outlet NRK, two mobile apps which everyone (over 18) visiting Qatar for the soccer World Cup will have to install, pose a very severe risk to privacy.

The first app, called Ehteraz, is a COVID-19 tracking app (haven't we moved on from these?). Alarmingly, it asks for a lot of privileges on the phone, including acess to read, delete and change all content on the hone, the ability to connect to wi-fi and Bluetooth, to override other apps and to prevent the phone from switching off to sleep mode. It also accesses accurate location services, make calls and even disable the screen lock.

The other app, called Hayya, is used to access event tickets as well as the Metro public transit system. It also accesses accurate location services, network connections, and disables sleep mode, but also asks for permission to share the user's personal information with almost no restrictions.

Experts consulted by NRK agree that the apps are very intrusive, with no granularity of control over permissions and no ability to opt out: the apps are mandatory. Anyone attending the World Cup should undoubtedly acquire a burner phone and limit their access to cloud services. Employers should prohibit the use of work devices and applications by employees visiting Qatar.

Sande, Egil, et. al., Everyone going to the World Cup must have this app - experts are now sounding the alarm, NRK, 14 October 2022. Available online at https://www.nrk.no/sport/everyone-going-to-the-world-cup-must-have-this-app---experts-are-now-sounding-the-alarm-1.16139267.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
 
Les Bell
by Les Bell - Wednesday, 19 October 2022, 6:29 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


More Ransomware Attacks Target Ukraine, Poland

Microsoft Threat Intelligence Center (MSTIC) has been tracking a ransomware campaign rageting logistics and transportation firms in Ukraine and Poland. This follows earlier attacks on the same industry, presumably to weaken Ukraine's defences against Russia, but is quite distinct from the previous attacks, which used AprilAxe (ArguePatch) / CaddyWiper or Foxblade (HermeticWiper) to target Ukrainian critical infrastructure over the last two weeks.

The new malware identifies itself, in its ransom note, as "Prestige ranusomeware", and was deployed over a one-hour period on 11 October. In all cases, the attacker had already gained highly-privileged access, such as domain admin privileges - perhaps from a previous compromise. Three distinct methods were used to deploy the ransomware; two copy the malware to the ADMIN$share on a remote system and  make use of the Impacket WMIexec tool to either create a scheduled task or run a PowerShell command to run it. The second technique copies the payload to an AD domain controller and then distributes it via Group Policy.

The MSTIC report provides a complete analysis, IoC's and recommended customer actions.

Microsoft Threat Intelligence Center, New "Prestige" randomware impacts organizations in Ukraine and Poland, blog post, 14 October 2022. Available online at https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/.

Yet Another Australian Privacy Breach

Australia continues a long streak of privacy breaches - or perhaps it's just that the media, with heightened awareness following last month's Optus breach, is keener to report them. The latest victim is online wine dealer Vinomofo, which reports that "an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website".

Vinomofo is believed to have approximately half a million customers, but it is not clear how much, or what kinds of, information was accessed, but likely at risk are names, addresses, email addresses, phone numbers and - required for alcohol sales - dates of birth. The company has reported the breach and warned customers to be alert for scam activity.

Shepherd, Tory, Vinomofo data breach: 500,000 customers at risk after wine dealer hit by cyber-attack, The Guardian, 18 October 2022. Available online at https://www.theguardian.com/australia-news/2022/oct/18/vinomofo-data-breach-cyber-attack-hack-australian-wine-seller.

QAKBOT Adds Brute Ratel as Second Stage

QAKBOT, which first emerged as an infostealer in 2007, gradually morphed into a 'malware-installation-as-a-service' model that was often a precursor to ransomware infections. Now, Trend Micro researchers report on a new phase of QAKBOT operations, shifting to the distribution of the recently-cracked Brute Ratel post-exploitation framework.

The new campaign starts with a spam email containing a malicious link to a password-protected .ZIP file which, in turn, contains a .ISO file- likely a way to escape the Windows "Mark of the Web" which flags files downloaded from the Internet as untrusted. The .ISO image contains a shortcut named "Contract" along with two hidden subdirectories, which in turn contain the actual malware. A JavaScript fragment runs a batch file which then invokes the QAKBOT DLL.

Ten minutes later, the malware makes contact with the QAKBOT C2 servers, and then waits a further 6 minutes before performing some automated reconnaisance using LOLbin commands. Five minutes later, it drops the Brute Ratel DLL, and a few minutes after that, manual reconnaisance activities begin.

Curiously, Cobalt Strike is used for lateral movement which, if not stopped, will likely end with domain-wide ransomware deployment.

Kenefick, Ian, Lucas Silva and Nicole Hernandez, Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike, blog post, 12 October 2022. Available online at https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
 
Les Bell
by Les Bell - Tuesday, 18 October 2022, 9:15 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Fashion Company Fined for Privacy Breach Coverup

The parent company of women's fashion site Shein has been $US1.9 million following an investigation by the Attorney General's office in New York State. The investigation found that the company had failed to properly safeguard customer data, using a weak hashing algorithm, storing some credit details as plaintext and failing to reset customer passwords or otherwise protect accounts following the breach.

Shein minimized the impact of the breach, stating only that the names, email addresses and "encrypted password credentials" of approximately 6.42 million customers had been stolen. In fact, 39 million accounts were exposed, worldwide, with only a small fraction being notified. Worse still, the claim that the company had "seen no evidence that credit card information was taken from our systems" was blatantly false, since it was unaware of the breach until notified by a payment processor that its systems appeared to have been compromised and card data stolen.

The company, Zoetop Business Company, Ltd, will now have to maintain a comprehensive information security program that includes robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice and prompt password resets.

Cluely, Graham, Fine for Shein! Fashion site hit with $1.9 million bill after lying about data breach, Bitdefender blog, 18 October 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/fine-for-shein-fashion-site-hit-with-1-9-million-bill-after-lying-about-data-breach/.

PHP Infostealer Masquerades as Cracked Software Installer

The Ducktail Infostealer has been operating since late 2021, and is attributed to an otherwise unidentfied Vietnames threat group. It was based on a binary written using .NetCore, and used a Telegram channel for C2. The campaign targeted users with access to their employers' Facebook Business accounts, with the intent of stealing data and hijacking the accounts.

A new variant has now emerged, written - somewhat curiously - in the PHP programming language. The malware masquerades as a free or cracked installer for a variety of applications, including games, Microsoft Office, Telegram and other programs, and is distributed in ZIP file format via a number of file sharing platforms. The new version looks for a broader range of information, including browser cookies, cryptocurrency account information and more, although it  still searches Facebook Business accounts and related pages. The new variant also has a new C2 mechanism, exchanging JSON messages with a dedicated web server, where it also stores exfiltrated data.

Dewan, Tarun and Stuti Chaturvedi, New PHP Variant of Ducktail Infostealer Targeting Facebook Business Accounts, Zscaler blog, 13 October 2022. Available online at https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts.

Red Team / Blue Team Visualization Tool

The US Cybersecurity & Infrastructure Security Agency has released RedEye, an interactive open-source analytic tool to visualize and report red team command and control activities. RedEye allows Blue Teamers to quickly assess complex data and evaluate mitigation strategies, enabling effective decision making.

CISA, RedEye -visualizing Penetration Testing Engagements, YouTube video, 15 October 2022. Available online at https://www.youtube.com/watch?embed=no&v=b_ARIVl4BkQ.

cisagov, RedEye, GitHub repository, 15 October 2022. Available online at https://github.com/cisagov/RedEye/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
 
Les Bell
by Les Bell - Monday, 17 October 2022, 5:58 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Dutch Police Exploit Bitcoin Slowness to Recover Ransomware Keys

The Dutch National police have been able to recover over 150 ransomware decryption keys from the Deadbolt ransomware gang and, presumably, restore file access for the victims. The technique they used was suggested by security firm Responders.NU, and relies on the way in which Bitcoin confirms transactions.

After a Bitcoin node verifies a transaction it then transmits the transaction to its neighbours. Sooner or later, the transaction will be picked up by Bitcoin miners, which will assemble the transaction into a candidate block and then try to validate the block, which typically takes around ten minutes. Once one succeeds, it will be incorporated into the blockchain and broadcast. However, to be considered irreversible, a transaction needs to be six blocks deep in the blockchain, which will take around an hour, before it is confirmed.

Therein lies the problem for the DeadBolt gang: when a victim paid the ransom, the DeadBolt automated system would create an automated bitcoin transaction in reply, containing the decryption key, without waiting for confirmation. The police then simply canceled the original transactions. Together with the police, Responders.NU created a website (https://deadbolt.responders.nu/) where DeadBolt victims who have not yet been identified can check whether their key is one of those recovered.

It was nice while it lasted, but inevitably, the gang discovered what was going on and modified their system to require Bitcoin confirmation.

Uncredited, Unique intervention on ransomware gang Deadbolt, news release, 14 October 2022. Available online at https://www.politie.nl/nieuws/2022/oktober/14/09-nederlandse-gedupeerde-geholpen-in-unieke-ransomware-actie.html.

Magniber Ransomware Spreads As JavaScript

Because it needs to needs access to low-level operating system API's to perform file encryption - not to mention disabling protection features like Windows' volume shadow copy service - ransomware generally needs to be a native binary executable, and will often rely upon some other exploit code to perform the initial infection.

However, in September HP Wolf Security detected a ransomware campaign that targeted home users with a website drive-by attack, using a ZIP file containing JavaScript code which would masquerade as a software update. The JavaScript code used a twist on the DotNetToJScript technique, allowing it to assemble and run a .NET executable in memory. The advantage of this technique is that by not creating a file, the malware evades detection tools that monitor file creation, and also leaves nothing behind on disk for analysts to use. The .NET code also de-obfuscates some shellcode and injects it into another process, which then runs the actual ransomware code.

From here, the code follows the well-trodden path of disabling backup and recovery features, then encrypting files before placing a ransom note in each directory and opening a browser window to display it.

Although this campaign targeted home users, enterprises can expect similar attacks as other groups pick up on this fileless approach to evading detection. The report from HP Threat Research provides further details, including IOC's.

Schläpfer, Patrick, Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates, blog post, 13 October 2022. Available online at https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/.

Microsoft Office Coders Make Rookie Crypto Mistake

Attendees at our SE221 CISSP Fast Track courses are familiar with the various techniques (OpenPGP, S/MIME, etc.) which are used for end-to-end email security. Equally, they are familiar with the dangers of using ECB (Electronic Code Book) mode with symmetric block ciphers: ECB is vulnerable to a variety of attacks - especially chosen-plaintext and chosen-ciphertext attacks - but worst of all will leak information when used to encrypt plaintext that has large-scaled structure imposed on repeated small sequences of data, such as bitmapped graphics.

This has caused lots of problems over the years - for example, when everyone switched to Zooming from home in 2020, it didn't take long for someone to discover that Zoom was using ECB mode to encrypt video and audio. Adobe's giant data breach of 2013 - which affected over 3 million customers - was, at base, down to exactly the same problem.

But the Redmondites have always considered themselves the smartest men in the room, and so everyone else's experience didn't stop them from using ECB mode in Office Message Encryption (OME) and - worst of all - to stick with it despite the risks. Now Finnish security consultancy, With Secure, has pointed this out to the world, and also notified it as a vulnerability to Microsoft - only to be told,

"The report was not considered  meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report."

At the very least, the Microsofties should have used Cipher Block Chaining mode, although they would probably have shot themselves in the foot with a weak way of selecting an initialization vector. Better still, use Galois Counter mode, which is both efficient and also provides authenticity of origin. There is no mitigation, short of switching to S/MIME or OpenPGP email encryption; that will at least limit the impact to Microsoft's reputation only.

Sintonen, Harry, Microsoft Office 365 Message Encryption Insecure Mode of Operation, blog post, 14 October 2022. Available online at https://labs.withsecure.com/advisories/microsoft-office-365-message-encryption-insecure-mode-of-operation.

Woolworths Suffers Data Breach, Medibank Hit By Ransomware?

Two more Australian companies have disclosed cyber-attacks. Supermarket giant Woolworths lost control of an estimated 2.2 million customer records via the MyDeal online shopping site, of which they acquired 80% in September. While only the email addresses were leaked for 1.2 million customers, roughly a further million also had their names, phone numbers, delivery addresses and, in some case, birth dates exposed.

The saving grace for Woolworths is that MyDeal operates on a completely separate platform from the parent company. It seems that access was gained via compromised user credentials - perhaps a phishing attack?

And on Wednesday of last week, insurance group Medibank "detected unusual activity on its network" and by the following morning had taken immediate containment actions as well as engaging external assistance. The insurer shut down some customer-facing systems and also cut them off from internal customer support staff.

The affected systems seem to have been restricted to their 'ahm' general insurance subsidiary as well as health insurance for international students. By late Friday, the company had restored services and stated that "we have found no evidence that our customer data has been accessed".

Details are scant, but to the less-than-casual observer, this incident just screams ransomware. Let's hope they're right about exfiltration . . .

AAP, Woolworths says 2.2 million MyDeal customers' details exposed in data breach, The Guardian, 15 October 2022. Available online at https://www.theguardian.com/australia-news/2022/oct/15/woolworths-says-22-million-mydeal-customers-details-exposed-in-data-breach.

Uncredited, Medibank cyber incident - Important information for our customers, web page, 14 October 2022. Available online at https://www.medibank.com.au/health-insurance/info/cyber-security/.


News for CISSP's


(ISC)2 Moving to Eliminate Board Elections?

The International Information Systems Security Certification Consortium, (ISC)2, which oversees the CISSP, CCSP and other industry certifications, came under criticism from members a few weeks ago for the fact it put forward five candidates - and only five candidates - for the five open board positions, despite the fact that many others had nominated for the election.

At a subsequent Town Hall, the CEO dismissed concerns, stating that the board needed more representation from non-US members (although many of the nominees discounted were from outside the US). Now it seems that the organization is further seeking to disenfranchise the membership, with a number of questionable amendments to the bylaws, which 'members' will have to vote on over the next month, starting on 16 October.

Some of the changes are fairly obvious and sensible, but towards the end of the list they become contentious, especially this section:

Updates related to future Board of Directors elections include:

  • Changing election language to clarify that the Board of Directors will submit a slate of qualified candidates to the membership equal to the number of open seats
  • Modifying the signed written petition rules to require 1% of overall membership in good standing
  • Removing the option for a write-in candidate

Finally, the last change is to the annual meeting of the members which updates the right of petition language from 500 signatures to 1% of the global membership in good standing, to align with the updated petition requirement for elections.

Note that this not only enshrines the unpopular practice of the Board selecting the election candidates, but also raises the bar for petitions from 500 signatures to 1% of the overall membership - which equates to approximately 1500 signatures, which is going to be impossible in practice (especially outside the US).

Concerned CISSP Stephen Mencik has proposed an alternative set of changes to the bylaws, including the addition of external directors (with particular responsibility for the Ethics subcommittee), improved remote participation (to encourage international diversity) and especially more openness and transparency in the board election process. Mr. Mencik is seeking support (500 signatures required - for now) and interested readers are encouraged to review his proposals and endorse them, at https://jsweb.net/isc2/.

In any case, we recommend that readers who are certified take time to read the details of the proposed changes to bylaws, including the full 35 pages of the 2022 Annual Meeting and Bylaws Proxy Materials (below), and carefully consider them before voting.

(ISC)2 Management, Proposed Amendments to (ISC)2 Bylaws - Member Vote Opens Soon, blog post, 7 October 2022. Available online at https://blog.isc2.org/isc2_blog/2022/10/proposed-amendments-to-isc2-bylaws-member-vote-opens-soon.html.

Proxy Materials for Annual Meeting of the Members, International Information Systems Security Certification Consortium, Inc, 5 October 2022. Available online at https://www.isc2.org/-/media/956A62F1A1084D45A6D3AF4AC9E25EFA.ashx.

Mencik, Stephen, ISC2 By-Laws Changes Proposal, web page and petition form, undated. Available online at https://jsweb.net/isc2/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
[ Modified: Monday, 17 October 2022, 5:58 AM ]
 
Les Bell
by Les Bell - Friday, 14 October 2022, 7:45 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Thermal Attacks Crack Passwords

Researchers at the University of Glasgow have developed a system called ThermoSecure which can crack passwords by using a thermal imaging camera to take a photo of a keyboard after a user has typed a password. Images captured by the camera appear more bright the more recently they were touched, and with some assistance from AI, the system can crack 86% of passwords when images taken within 20 seconds of the user typing.

Although the success rate dropped to 76% when images were taken within 30 seconds and 62% after 60 seconds. The success rate drops as passwords got longer - six-character passwords were always breakable , but even with passwords of 16 characters, the system could break 67% of passwords after 20 seconds.

Suggested mitigations include using backlit keyboards, as these produce more heat, or switching to alternative authentication mechanisms such as biometrics.

Barker, Dan, Heat from fingertips can be used to crack passwords, researchers find, Evening Standard, 10 October 2022. Available online at https://www.msn.com/en-us/news/technology/heat-from-fingertips-can-be-used-to-crack-passwords-researchers-find/ar-AA12NcEW.

Room Temperature Quantum Network Repeater for Brooklyn Navy Yard

Quantum networking startup Qunnect has announced a round of funding that will permit it to build a testbed quantum key distribution network linking buildings in Brooklyn's historic Navy Yard. The Qunnect hardware is unique in that it operates at room temperature and can fit in conventional server racks.

To date, Qunnect has received funding from the DoE and other government agencies, but has announced $US8 million in funding from Airbus Ventures, The New York Ventures Fund, and others.

Current quantum key distribution devices work by transmitting photons over fiber optic cables, but are subject to light attenuation, which loses more photons as the cable length increases. This means the networks need repeaters, which are the obvious vulnerable point in a QKD network. Qunnect's devices use lasers to create pairs of entangled photons, one of which is temporarily stored in a phial of rubidium vapour while the other is sent over the fiber to the next repeater, where it is entangled with a photon from another pair, and the process continues.

By using the rubidium vapour quantum memory, rather than conventional semiconductor memory, the repeater assures confidentiality; any attempt to observe the quantum state will collapse it, triggering the generation of a new key. And although preserving quantum state is notoriously tricky, rendering quantum computers vulnerable to noise, the Qunnect device can store and release the quantum state of single photons with 95% fidelity, and for up to 0.8 ms, which is enough for communication over "metropolitan scale" quantum networks.

Pasternack, Alex, A new quantum network in Brooklyn opens the door to an untappable internet, Fast Company 12 October 2022. Available online at https://www.fastcompany.com/90793603/a-new-quantum-network-in-brooklyn-opens-the-door-to-an-untappable-internet.

Timing Attack Opens Possibility of Supply Chain Attacks in Private NPM Packages

As expected, the NPM registry API will return an HTTP 404 (Not found) response code for private packages when queried by an unauthenticated and unauthorized user. However, researchers at Aqua Nautilus have discovered that there is a significant difference in the time taken to return this result for a private package that does not exist vs a private package that does exist.

This leaks information about the existence of private packages, including packages that were once public but were converted to private. From this, the attackers can create malicious packages in NPM's public scope; leading to a supply-chain attack.

Kadkoda, Yakir, Private npm Packages Disclosed via Timing Attacks, blog post, 12 October 2022. Available online at https://blog.aquasec.com/private-packages-disclosed-via-timing-attack-on-npm.

Drones Used to Deliver Wi-Fi Credential Stealer, Access Confluence Page

Greg Linares reports, via Twitter, the discovery of a sophisticated attack on a financial services company involving the use of two DJI drones to deliver tools to the rooftop of the company's building.

The first drone, a DJI Phantom, was carrying what was described as a 'modified Wifi Pineapple Device' - a specialised Wi-Fi pen-testing device from Hak5. This was used to capture the credentials of a user, which could then be used to access the corporate wi-fi network. Having obtained these credentials, the attackers then hard-coded them into a second set of tools - a "Raspberry Pi, several batteries, a GPD series mini laptop, a 4G modem, and another wifi device" - loaded onto the second drone, a DJI Matrice 600.

This landed near an HVAC vent and was slightly damaged, but still operable, and was used to target a Confluence page on the intranet. This activity was detected, an investigation launched and quickly focused on the wifi network when it was discovered that the user whose credentials had been used was logged in both via the wifi and from home several miles away. Signal tracing and investigation with a Fluke wifi tester led the team to the roof, where the drones were discovered.

Linares, Greg, This will be a thread discussing ..., Twitter thread, 11 October 2022. Available online at https://twitter.com/Laughing_Mantis/status/1579550302172508161.

Yet Another Attack Framework

Cisco Talos researchers have discovered yet another attack framework which they assess, with moderate confidence, is being used in the wild. The framework, which is delivered as a single 64-bit Linux executable, has RAT payloads compiled for Windows and Linux, and is written in the Go programming language.

'Alchimist' [sic], and its matching C2 tool, has a web interface written in Simplified Chinese. It can generate a configured payload, establish remote sessions, deploy a payload to its victims, capture screenshots, run shellcode remotely and run arbitrary commands.

In most respects, Alchimist is similar to the Manjusaka C2 framework previously reported by Talos; the only major difference is that Manjusaka makes use of the Gin web framework and an existing asset bundling framework called packr, while Alchimist implements those features as native Go code.

Raghuprasad, Chetan, Asheer Malhotra and Vitor Ventura, Alchimist: A new attack framework in Chinese for Mac, Linux and Windows, blog post, 13 October 2022. Available online at https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
 
Les Bell
by Les Bell - Thursday, 13 October 2022, 6:51 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


DNS Cache Poisoning Allows Website Account Takeovers

DNS cache poisoning has long been identified as a potential attack vector. The problem is this: DNS requests for name->address lookups contain a randomly-set ID field, and the client resolver or caching DNS that sends such a request will only accept a reply that contains the matching ID. But with only a 16-bit ID field, this is vulnerable to a birthday paradox attack - by triggering lots of such requests, and jamming in spoofed replies with his chosen IP address, the attacker can eventually (and surprisingly quickly) insert the address he wants to send victims to as part of a pharming or other attack.

The fix for this is to add more randomness by randomizing the UDP (or TCP, for large queries) port that sends the request and expects the reply; this will give roughly a 60,000-fold increase in the difficulty of this attack. Other mitigations include using DNSSEC, or running DNS over TLS.

However, by using a clever trick of getting web servers to send email confirmations for account sign-ups, researchers at SEC Consult have been able to profile several thousand domains, and discovered that a significant proportion of web servers have not implemented these controls and remain vulnerable to cache poisoning. They have gone on to develop a proof-of-concept attack that will inject a fake MX (mail exchanger) record into a caching DNS or resolver, allowing a password reset email to be sent to the attacker, leading to account takeover. Although they have used this to achieve the full takeover of fully patched WordPress instances, the same technique could be applied to most web servers and sites.

Longin, Timo and Clemens Stockenreitner, Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style, blog post, 6 October 2022. Available online at https://sec-consult.com/blog/detail/melting-the-dns-iceberg-taking-over-your-infrastructure-kaminsky-style/.

BazarCall Evolves, Ramps Up Attacks

The BazarCall spin-off of the Conti ransomare gang, which we first mentioned in Security News: 2022-08-12, is ramping up its attacks around the world and evolving new social engineering tactics. The basic tactic starts with a fake email containing an invoice with a unique number, together with a phone number which the recipient can call to cancel a renewal or otherwise dispute the transaction.

Now, researchers at Trellix have captured samples of BazarCall emails and called the phone numbers to learn their tactics and their scripts - of which there are now many. The initial emails now impersonate many brands such as Geek Squad, Norton, McAfee and others. A common tactic to all the phone scripts that follow is that the scammers ask for the unique invoice number and use it to look up the victim's email address, along with their name, address, the amount of the supposed invoice, etc. This all makes the scammer sound like an authentic customer service agent.

From there, the scripts diverge; but in general, the scammer will alarm the victim into thinking their account has been compromised, possibly through some kind of malware that has infected their computer. From there, the script begins to resemble a classic tech support scam call; the scammer will convince the victim to download a trojan dropper which will, in turn, download either remote access software or some other malware which gives persistent access and allows credential stealing, or perhaps ransomware.

Kapur, Daksh, Evolution of BazarCall Social Engineering Tactics, blog post, 6 October 2022. Available online at https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html.

Microsoft (Optionally) Locks Out Admin Accounts

One of the classic attacks on Windows machines is brute forcing local admin accounts, using protocols like RDP (Remote Desktop Protocol). I suspect some readers weren't even born in the heyday of tsgrind and similar tools, which worked because Windows did not support account lockouts on admin accounts.

All this changes today. As of the 11 October 2022 or later cumulative updates, Microsoft has implemented account lockouts. The policy can be found in the registry under

Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies

The policy is not enabled by default on existing installs, and Microsoft recommends also setting the related policies to 10/10/10 - that is, 10 failed login attempts within 10 minutes will cause a 10-minute lockout. However, the policy will be enabled by default on new system installs.

Colour me sceptical; the original reason for leaving admin accounts out of lockout policies was that an attacker could implement a very effective DoS attack by simply trying a few logons and locking the legitimate admin - possibly the main user account with admin privileges - out of his own machine, and it will be interesting to see how many threat actors pick up on this technique.

Microsoft claims brute force attacks are "becoming trivial with modern CPUs/GPUs", although in practice the limiting factor is network latency, and compute power is really only relevant to offline attacks such as dictionary and Rainbow Tables attacks

In other dubious moves, Microsoft is now enforcing password complexity on new machines if a local administrator account is used, requiring at least three of the four basic character types (lower case, upper case, numbers and symbols). I thought we had abandoned password superstitions like these - in fact, NIST SP 800-63B advises against them. Still, it's good to see Not Invented Here syndrome is still rampant in Redmond.

Uncredited, KB5020282 - Account lockout available for local administrators, web page, 11 October 2022. Available online at https://support.microsoft.com/en-us/topic/kb5020282-account-lockout-available-for-local-administrators-bce45c4d-f28d-43ad-b6fe-70156cb2dc00.

Google Ups Gmail, Android, Chrome Security

At its annual Next conference, Google has announced that it will extend client-side encryption to more Enterprise and Education plans. This will provide end-to-end encryption for email users, but details are sparse, and it is not clear what protocols will be supported (OpenPGP?S/MIME?) and whether other email clients will be supported. However, enterprise customers will be able to control the keys.

In another security-related announcement, the company has added support for FIDO/W3C passkeys to both Android and Chrome, making the feature available to developers immediately via the Google Play Services beta and Chrome Canary. On Android, passkeys will allow users to sign into a website by simply confirming which account they want to use and then presenting their fingerprint, face image or screen unlock pattern/PIN when prompted. The phone passkey can also be used to sign into a website on a nearby computer. This will include cross-platform support, since passkeys are also supported by Apple and Microsoft.

Finally, Intel and Google have launched a new chip called an E2000 Infrastructure Processing Unit (also codenamed 'Mount Evans'), which offloads some network protocol processing and I/O and also improves the separation of virtual machines in cloud servers. The chip will be sold to other companies, but Google are already using it in a new class of VM's they call 'C3'.

Khalili, Joel, Gmail is getting the security upgrade it's always needed, TechRadar Pro, 12 October 2022. Available online at https://www.techradar.com/news/gmail-is-getting-the-security-upgrade-its-always-needed.

Lee, Jane Lanhee, Intel and Google Cloud launch new chip to improve data center performance, Reuters, 11 October 2022. Available online at https://www.reuters.com/technology/intel-google-cloud-launch-new-chip-improve-data-center-performance-2022-10-11/.

Mehta, Nirav, The next wave of Google Cloud infrastructure innovation: New C3 VM and Hyperdisk, Google Cloud blog, 11 October 2022. Available online at https://cloud.google.com/blog/products/compute/introducing-c3-machines-with-googles-custom-intel-ipu.

Zavala, Diego, et. al., Bringing passkeys to Android & Chrome, Android Developers Blog, 12 October 2022. Available online at https://android-developers.googleblog.com/2022/10/bringing-passkeys-to-android-and-chrome.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags: